ALPC Fuzzing Toolkit - HITB - Ben Nagy

ALPC Fuzzing Toolkit

Ben Nagy

PSA WARNINGS

- ALLERGY: Some Recycled Material

- SPOILER: Not Really About Kernel Fuzzing

- TRIGGER: Neckbeards

About Me:

- Not oldsk00l. Just old.

- ~ 11 weeks kernel experience

- ~ 8 years fuzzing experience

- ~ 25 years nerding experience

- Hate all Technology

- Certified Windows Internals Expert!

Disclaimer: I am aware of the prevailing opinion that fuzzing talks without bugs suck, by definition. I do not have any bugs. Even if I did have bugs, I wouldn’t tell you. There are no bugs.

Fuzzing Made Simple

• Select a Good Target

• Acquire Essential Knowledge

• Apply Fuzzing Canon

– How do we Deliver

– How do we Instrument

– How do we Generate

– How does that Scale

Phase I - Target Selection

Target: ALPC

Why ALPC?

• New

• Tricky

• Undocumented

• Everywhere

What Bug Classes?

• Privesc to SYSTEM(+) from anywhere

• Memory Helpers

– Fill memory

– Disclose?

• DoS

• “Jackpot” bug?

ALPC What Do?

• Interprocess Communication

• New in Vista+

• Low Level

• Sync / Async, Fast, Awesome

http://www.syscan.org/index.php/download/get/d596c7dc486175148fc038387dc80be2/SyScan2014_AlexIonescu_AllabouttheRPCLRPCALPCandLPCinyourPC.zip

ALPC What Do?

• Shared Memory Views

• IO Completion Ports

• Lots of security, enforced by the kernel

• TOCTOU Safe


ALPC What Do?

• RPC / RPC-DCOM run on it

• Can also be used directly

• Imagine it like a network


[Diagram: foo.exe and service.exe in userland, talking over RPC (image © Sven Micklish)]

Not how it works, yo

© Sven Micklish

(ohai I’m Barry)

Kernel Recap

[Diagram: userland (ntdll, kernel32) on top; below it the public and internal interfaces of the “NT Executive” (IO, USER, GDI); below that the drivers, and finally the hardware]

More Complicated Stuff

[Same kernel diagram, annotated “Boring / Complicated”]

1. Setup syscall args

2. syscall number in eax

3. int 2e / sysenter / syscall ( “context switch” )

4. Lookup syscall in SSDT

5. Dispatch to correct component

© Sven Micklish

Kernel has Objects.

There are many kinds.

© Sven Micklish

They go in Directories

Object Manager manages them

(duh.)

… where were we?

[Diagram: foo.exe and service.exe in userland, talking over RPC]

[Diagram: foo.exe and service.exe each hold a Port Handle in userland; the handles refer to two ALPC Port objects managed by the kernel Object Manager, with the ALPC component sitting between them]

First, establish an ALPC connection…

[Diagram: the same two ALPC Port objects in the Object Manager, one Port Handle in foo.exe and one in service.exe]

[Diagram: over that ALPC connection, foo.exe sends an RPC Bind and service.exe answers with an RPC Accept]

[Diagram: RPC now runs between foo.exe and service.exe on top of the ALPC connection]

Phase II - Acquire Knowledge

ALPC Surface

ALPC Attack Surface

• Who talks to whom?

• Which processes have open ports?

lrn2kd, n00b!

lrn2code?

• https://github.com/bnagy/rBuggery

• Ruby wrapper for dbgeng.dll ( windbg )

• Fully scriptable debugger

– kernel debugging

– LOCAL kernel debugging

• Unique Features:

– Actually works

Cutting Edge Tech

Know what the Windows Kernel needs?

A JSON API!

–Wrap rBuggery with Sinatra

–Connect with Go

–Map ALPC

–Drink Barry’s salty ragetears

alpcmap

• Start debugger bridge on Windows

• Connect from anywhere

• Maps ports, serves webapp graph

• https://github.com/bnagy/alpcmap

wat? stahp!

alpcmap

• Automates and parses:

– !alpc /lp, /lpc, /p

– dt nt!_OBJECT_HEADER

– !token

– !sd

– !object

– !process

– …

Initiating demonstration…

Phase III - Generation

What to send?

Phase III - Generation

Examine existing messages!

ALPC Message Logging

• Event Tracing for Windows (ETW)?

• advapi32 has StartTrace() …

• EVENT_TRACE_FLAG_ALPC …

• SystemTraceControlGuid …

• CODEZ!

ALPC Message Logging

• Hacked StartTrace() support into w32

–Needs lots of support cruft

ETW

FAIL

lrn2google

DOUBLE FAIL… The message contents aren’t even in the ETW output, only the Message IDs

Undocumented !alpc switch /lm !!

Set “AlpcMessageLog” in HKLM\CCS\Control\Session !!

Use this sweet trick to add private ALPC_MESSAGE_LOG symbol!!

symbol.c

That’s a private symbol!

cl.exe /Zi /Gz /c /Fdntkrnlmp /IC:\WinDDK\7600.16385.1\inc\ddk /IC:\WinDDK\7600.16385.1\inc\crt /D_X86_=1 symbols.c

Pass in the existing .pdb

It will be modified in-place

(so save a copy)

// FIXME

FAIL

Oh, BTW, /lm only works in Vista…

(except debug builds)

ALPC Message Logging

FINE! Let’s use rBuggery then.

ntdll!ZwAlpcSendWaitReceivePort:
    4c8bd1        mov  r10,rcx
    b882000000    mov  eax,82h
    0f05          syscall
    c3            ret

Message contents added and removed here ;-)

ALPC Message Logging

x64 fastcall uses registers for the first 4 args, but space is still reserved for them on the stack…

Breakpoint Callback

ᕕ( ಠ‿ಠ)ᕗ

Sappy Moralizing Interlude

• Learned cool stuff while failing

• Presenting failure helps everyone

DEMO?

No.

Phase IV - Delivery

ALPC Programming

“What I cannot create, I do not understand” ~ Feynman

Programming with ALPC

• Very little documentation!

– New Edition of Windows Internals

– Some LPC stuff on j00ru’s blog

– Alex Ionescu’s trainings

– ntlpcapi.h

– This project ( didn’t test )

– https://github.com/avalon1610/ALPC/tree/master/ALPC

Why use Go?

• Compiled.

–Windows users can ship binaries

• Idiomatic Windows binding ( w32 )

• cgo - use headers directly in a pinch

• Hate others using my code

[Diagram: foo.exe calls NtAlpcConnectPort(); service.exe calls NtAlpcAcceptConnectPort()]

• Server can refuse

• Connection message optional

[Diagram: foo.exe connects to service.exe’s Connection Port; once accepted, each side has a Communication Port and messages go through NtAlpcSendWaitReceivePort()]

Servers only wait on one port!

Your flippant manner wearies me. Display your pathetic code immediately.

Connection - Client

Acceptance - Server

Receive Loop - Client

Note same buffer for send / recv…

Your puerile code lacks all ability to dispatch to multiple clients. Clarify the mechanism whereby this is achieved.

© Sven Micklish

Context Attributes!

Message Attributes

• Context - opaque struct

• Security

• Data View - share memory

• Handle - share handles

Secured “in transit” by the kernel

Capture

Expose and Cast

FAILS?

ALPC Programming Tips

• ntstatus.h - learn it, live it, love it

• Zero out reused buffers / headers

• Initialize struct Length fields

• Double check your flags

–ALPC_PORFLG_*

–ALPC_MSGFLG_*

Code - Go

• https://github.com/bnagy/w32

• https://github.com/bnagy/alpcgo

– High level API

– alpcechocli / alpcechosrv

– alpcbridge ( jsonrpc API )

Whoa! I can connect with 5 lines of python!

Rust or Haskell would clearly have been a more felicitous choice.

WHAN RELEASE FUZZER??

RAF

• https://github.com/bnagy/raf

• Three “fuzzers”

• Some support tools

raf.rb

• ALPC Connection Message Fuzzer

–It’s a POC, it will never find bugs

–Corpus from Works of Chaucer

–Gets tests from radamsa server

–Sends via alpcrest

parus_major.rb

• ALPC MitM Fuzzer, Serverside

• Attach to a process

• MitM fuzz all messages

–Can restrict via PID and/or ALPC Port

• Uses dbgeng / BP hooks

parus_minor.rb

• ALPC MitM Fuzzer, Clientside

• Fuzz outgoing messages from PID x to one ALPC port

alpclive.rb

• Attach to a target

• Local kernel debug

–Map all userland handles to ALPC Ports

• Now, userland debug:

–Track packet counts

–Update for new connections

alpclive.rb

• Good for targeting

• Exercise the source app, watch the ALPC traffic patterns

Tips

• Don’t touch the ALPC PORT_HEADER

• Exceptions like 0x000006f7 are LRPC

• You might get disconnected

–(most apps reconnect, and it’s fine)

Tips

• Some services don’t come back

• Reboots are fun!

• Disable WER
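Implementing the first tip above, as an added example that is not part of Ben Nagy’s raf or rBuggery code: a Ruby parser for the 64-bit PORT_MESSAGE header at the front of every ALPC message (the bytes a breakpoint callback on ZwAlpcSendWaitReceivePort would read from the message buffer), which splits header from payload, validates the two length fields, and decodes the LPC type. The field layout follows ntlpcapi.h; the sample message, its pid/tid and message id are constructed.

```ruby
# Added example, not code from raf or rBuggery: parse the 64-bit PORT_MESSAGE
# header so a tool can keep it intact and only look at the payload behind it.
# Layout per ntlpcapi.h (x64, 40 bytes):
#   0 u16 DataLength   2 u16 TotalLength   4 u16 Type   6 u16 DataInfoOffset
#   8 u64 ClientId.UniqueProcess   16 u64 ClientId.UniqueThread
#  24 u32 MessageId    28 (4 bytes pad)    32 u64 ClientViewSize / CallbackId
PORT_MESSAGE_SIZE = 40
HEADER_FMT = "vvvvQ<Q<Vx4Q<" # little-endian, matches the layout above

# Low byte of Type is the LPC message type; the high bits are flags.
LPC_TYPES = {
  1 => "LPC_REQUEST", 2 => "LPC_REPLY", 3 => "LPC_DATAGRAM",
  4 => "LPC_LOST_REPLY", 5 => "LPC_PORT_CLOSED", 6 => "LPC_CLIENT_DIED",
  7 => "LPC_EXCEPTION", 8 => "LPC_DEBUG_EVENT", 9 => "LPC_ERROR_EVENT",
  10 => "LPC_CONNECTION_REQUEST"
}.freeze

PortMessage = Struct.new(:data_length, :total_length, :type, :data_info_offset,
                         :pid, :tid, :message_id, :client_view_size, :header, :data)

# Split raw bytes (e.g. read from the buffer passed in r8 at the
# ZwAlpcSendWaitReceivePort breakpoint) into header and payload, checking that
# the two length fields agree with each other and with what was captured.
def parse_port_message(raw)
  raise ArgumentError, "shorter than PORT_MESSAGE" if raw.bytesize < PORT_MESSAGE_SIZE
  f = raw.byteslice(0, PORT_MESSAGE_SIZE).unpack(HEADER_FMT)
  data_length, total_length = f[0], f[1]
  raise ArgumentError, "TotalLength != header + DataLength" if total_length != PORT_MESSAGE_SIZE + data_length
  raise ArgumentError, "buffer truncated" if raw.bytesize < total_length
  PortMessage.new(data_length, total_length, f[2], f[3], f[4], f[5], f[6], f[7],
                  raw.byteslice(0, PORT_MESSAGE_SIZE),
                  raw.byteslice(PORT_MESSAGE_SIZE, data_length))
end

def lpc_type_name(type)
  LPC_TYPES.fetch(type & 0xff) { |t| "UNKNOWN(#{t})" }
end

# Re-emit a message with a different payload: header bytes are preserved, only
# DataLength and TotalLength are recomputed so the header stays consistent.
def rebuild(msg, new_data)
  hdr = msg.header.b
  hdr[0, 4] = [new_data.bytesize, PORT_MESSAGE_SIZE + new_data.bytesize].pack("vv")
  hdr + new_data.b
end

# Constructed sample (not a real capture): LPC_REQUEST from pid 1234 / tid 5678.
def build_sample(payload = "hello".b)
  [payload.bytesize, PORT_MESSAGE_SIZE + payload.bytesize, 1, 0,
   1234, 5678, 42, 0].pack(HEADER_FMT) + payload
end
```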

Instrumentation

• Userland Issues

– “Normal” Exception instrumentation

– RADAR – http://technet.microsoft.com/en-us/library/dd393057(WS.10).aspx

– ProcDump – http://technet.microsoft.com/en-us/sysinternals/dd996900.aspx

Instrumentation

• BSOD Logging?

–Dump to disk

Scale

My work here is done

Thanks:

– Alex Ionescu

– @miaubiz

Contact:

– ben@lrn2google.com

– @rantyben

– github.com/bnagy

ilu, bai

Questions?

DEMO?

DEMO!
